Mailinglist Archive: opensuse-security (499 mails)

Re: [suse-security] Apache update
On Tuesday, 18. June 2002 06:26, bliss@xxxxxxxxx wrote:
> I am not certain if this is the exploit you are talking
> about. There was no link included in the email which you

There was a CERT Advisory issued on that this morning:
CERT Advisory CA-2002-17 Apache Web Server Chunk Handling
Vulnerability

The vulnerability is described in detail on the
Apache site:
http://httpd.apache.org/info/security_bulletin_20020617.txt

It seems that the bug is not exploitable on Linux, but I haven't
found a clear statement as far as this is concerned.

Perhaps Roman could comment on that.
I'm CC'ing him just in case he is too busy to read the list at the
moment...

> sent. But, the XForce email announcing an exploit
> (assumed to be what you are talking about here,
>
> specifically states:
> > > X-Force has verified that this issue is exploitable on Apache for
> > > Windows (Win32) version 1.3.24. Apache 1.x for Unix contains the same
> > > source code, but X-Force believes that successful exploitation on most
> > > Unix platforms is unlikely.
>
> So, if this is the vulnerability which you are talking
> about, then the reporting group states that it is
> probably not a problem on Unix (which would include SuSE
> Linux).
>
> Jim
>
> > There is an issue with apache, corroborated by the apache
> > guys,
> > with a story at /.
> >
> > Short version:
> > Are we waiting for the apache team to come up with a patch,
> > or do you guys have an idea of a fix? Is this remotely
> > exploitable, or just a dos with apache 1.3.x?

Regards,
Robert

--
Where do you want to be tomorrow?

Entracom. Building Linux systems.
http://www.entracom.de
